Security Expert Interview Series: Stuart Wedge
For our latest cybersecurity expert interview, we’ve welcomed Stuart Wedge to share his wealth of experience on the topic of cybersecurity. Stuart is currently holding the position of Security Analyst (Policy and Procedure Writer), working in the Security Awareness team, driving change while remaining focused on the task of embedding security culture within the employees. Explore all his insights below.
1. Firstly, thank you for taking part in this campaign, Stuart. Can you tell us about your professional background and areas of interest?
Before getting into that, I would like to thank you for asking me to share my story. My route into the industry was definitely original and learning about it will certainly give future industry entrants food for thought about extra activities they can do or routes they can take to get their first job in Cybersecurity.
So, I joined the British Army way back in 1998, at the super young age of 16. My role in the Army was in the administration of personnel when we were in barracks, but I was still a soldier and would deploy with the troops and carry out the same tasks as them when on operations. I deployed to Kosovo, Northern Ireland, Kuwait and Iraq during my service.
After leaving the Army, I had a number of jobs including Satellite Engineer, Clown, Fire Performer and Survival Instructor before moving into Physical Security where I worked as a Security Officer at busy Nightclubs and Public Houses in Edinburgh City Centre. My past has been tough and a little rough in places. Given that the years are rolling in and my muscles are not as flexible as they once were, I began to look for a career where I could use my brain rather than my brawn.
When the pandemic hit in 2020, I took the opportunity to look for a new direction and found funding for a Higher National Certificate in Cybersecurity. I could study remotely from home and it was an intensive course that would be completed in 5 months. I set my mind to it and hit the books. When the results hit my doorstep, I was super excited to have passed the exam with an A grade.
The technical side of the industry is highly interesting to me but I didn’t have enough hands-on experience to justify a company investing in me as a Penetration Tester. I could see that it was going to take a number of years to get to that stage. Looking at other opportunities within Cyber I found Governance, Risk and Compliance (GRC). Now, this was something I had experience in, not in Tech but in life. I had written policies that would detail how soldiers carried out their duties and had followed security frameworks and took part in audits while carrying out my duties in Physical Security. These were transferable skills that I could apply to Information Security and add a great deal of value to future companies. My focus switched from technical learning to general security knowledge such as learning the foundations of ISO 27001 and EU GDPR.
Hiring managers were finding difficulty seeing my experience during the application process so I set up my own consultancy offering Cybersecurity advice and Gap Analysis in Cyber Essentials which is a security framework used to help companies improve their foundational Information Security in an easy way. From taking two companies through certification, it was easy to show that experience in the next interviews which landed me the offer in my current position.
2. You are currently serving as a Security Analyst. Please tell us about your biggest challenge(s) in this role.
The actual title of my role is Security Analyst (Policy and Procedure Writer) which differs from the normal security analyst role. My responsibilities include collaborating with management and expert personnel throughout the enterprise environment to review and implement change to a great number of security policies and procedures.
This is exciting for me because the words I write will help to improve security culture, guiding thousands of end users on the best practices which will help them provide secure services to over 70,000 business customers. It was difficult at first to get my head around the enterprise environment. I had to figure out how the company was organized and how the different products and services are linked, ultimately trying to figure out how security controls were implemented.
The toughest challenge is keeping track of the work. Each policy has different people who are the experts in that area and each meeting raises a number of points of action which can sometimes lead to a bit of a spider’s web trying to keep abreast of everything. Also, there is a steep curve to learning how to write policies in this environment, there has to be a clear message to each section. Technical jargon will make it difficult for non-security personnel to understand. I find this an area where I can excel as not being massively technical myself, I can present the information in a way that makes it easy to read and understandable.
3. According to you, what are the top skills, both technical and soft skills, that are greatly needed as a Security Analyst?
Specific to policy and procedure writing, a good knowledge of MS Word and Excel is definitely the key skill. You have to know how to track changes in your documents, use conditional formatting to highlight key areas of large documents, however, it’s not really a technical job. I don’t monitor any security tools or need to understand code. Where you do need to have a great deal of skill is in the actual writing of the policies. A high level of written communication in English is key. The readers of your documents expect to be able to quickly understand the points you are trying to get across and the points need to be spelt correctly and conform to a high level of grammar. You should also be able to host a meeting of managers, listen effectively and record the points raised in the meeting. Whilst listening is important, verbally communicating in a clear and concise manner is imperative.
Whilst it isn’t a technical role, I do require to understand the different security controls which have been implemented by the security team. The company is a provider of Cloud ERP (Enterprise Resource Planning) services and have many products which customers use to control their business solutions. It is definitely a technical field and a good understanding of Cloud services and security controls, in general, will help you get up to speed quickly. I would recommend a foundational understanding of Agile and Scrum as software development companies use these to control the way they work. On the security side of things, the CompTIA Security+ is definitely a good start and will help you understand what the controls are. You don’t need to know how to use the different controls for the most part but you need to know how they work.
Foundational knowledge of security frameworks is one skill that will help you stand out to employers. We implement these controls but not knowing why we implement them would definitely impact your effectiveness. Take a look into Risk as this is the language business executives speak, understand the difference between a vulnerability and a threat, and how the probability of those parameters can impact a business.
I recommend creating a fictional company in the country you reside, looking at what laws and frameworks are applicable. Make a plan to take that company through certification in one or two of the frameworks. This is what I did, and I used that knowledge to sell consultancy services carrying out Gap Analysis and help executives implement the required controls that were not already in place.
4. What advice would you give an IT generalist who is thinking of pursuing a career in information security?
If you are currently working at a company with a security team, reach out and ask if there is anything you can help them with. Seek their advice on ways you can improve your knowledge in the area and they might be able to move you internally and train you in the role. Suggest improvements the company can make to their current policies or procedure which could help improve the company security profile as a whole. Seek funding for training platforms or courses that will enable you to learn skills that will help your transition.
If you are not currently working where this is possible, start training yourself. Spend a couple of hours researching the different roles and career paths within the industry. There is no point in spending months training in a particular discipline when it doesn’t add anything to you when applying for jobs. If you want to be a penetration tester, you need to get involved in CTFs, spend time training on TryHackMe and HackTheBox.
If you want to be Blue Team, the route is not so obvious. If you take the time to look, you can find a great volume of free training on everything you need to get into Cybersecurity provided by people within the industry. These people are adding superb value to the industry and helping many folks like me learn the skills required.
If you network on LinkedIn, you will find a superb community willing to help by donating courses and exam vouchers from organizations like Cyber Supply Drop, a regular free Threat Hunting course from Active Countermeasures, Security Blue Team and TCM Security who do regular discounts and giveaways. If you are looking for free knowledge in the GRC side then Advisera offers free training in ISO 27001 and EU GDPR where you only need to pay if you want to take the exams.
There are so many different platforms and vendors out there, the future Security Analyst will never be able to train on all of the security software that companies are using. Some companies such as Splunk offer free foundational courses on their software, but generally, this is not the case. Don’t go spending thousands on vendor-specific training, look to the free courses out there, look to the low-cost general skills courses such as the Security+, learn on the open-source software like pfSense adding Intrusion Detection and Protection to your home lab. Hands-on experience for most roles is certainly more sellable to hiring managers than theoretical understanding.
5. Cybersecurity is a constant battle, with demand for cyber talent continuing to increase and outpace supply. Where does the situation stand today?
The industry as a whole is very short on experience. The skills gap is not at entry-level, unfortunately. This is however great news for people looking to get their first and second roles in the industry. The way I see it, the people that are currently in the entry-level roles will be progressing quickly and they will fill those positions. This will in turn open up positions for entry-level applicants.
There are many job descriptions where a whole host of certifications and years of experience are required for roles that have been tagged as entry-level. These are normally a wish list that the company has for cyber roles and they are not necessarily entry-level. Don’t be discouraged, this process is long but there are great companies trying to break down the walls. I have a page on my website where I detail things you can do to boost your chances of getting a job.
6. What initiatives can organizations try to encourage cyber talent to fill the rising skills gap?
Firstly: Reduce the cost of training courses and certifications. There are many pressures on people and money is a big factor that prevents some amazing candidates from accessing the training to hit the requirements of companies. If you want a diverse workforce, allow everyone access to quality training.
Secondly: Hire for aptitude and attitude rather than qualifications and experience. A candidate who is putting in an 8-hour shift at work and then spending 6 hours at home studying is going to have a great deal of impact on your overall effectiveness at securing your business, they are driven and want to help you succeed.
Thirdly: Increase your Information Security Budget! We need to fund the security teams at a level that allows them to compete with the criminals. Enable the teams to hire entry-level candidates and train them internally. The people who can keep your customers’ data safe are currently stuck working as chefs, security guards, teachers and labourers. Open the doors.
7. How do you stay up to date with industry news and updates regarding information security and technology? Feel free to share the sources and websites with us.
I would like to point your readers to my website. After landing my first job in the industry I transformed TechSecScot.com to share a huge number of resources and skills that I discovered on my path. It’s not for profit and is just there to help people land that elusive job quicker.
One of the best ways is LinkedIn. There is a vibrant community of industry experts and people looking for jobs in the industry that are constantly posting about the latest threats and vulnerabilities. It’s certainly the first way I normally find out about a change to a security framework.
Podcasts are a great resource. I listen to “Human Factor Security” for Social Engineering stories. “Cyber Security Headlines” for a daily dose of Cyber News. “Breaking into Cybersecurity” for tips and tricks on how to get into the industry. “Darknet Diaries” for stories of Cyber Breaches and stories on physical penetration testing.
YouTube channels that I would like to shout out are Cyber Insecurity who host a live stream on Cyber subjects and often include tips to help you get a job, Simply Cyber has a mass of videos about breaking into Cyber and the skills required, Outpost Gray regularly post interviews with industry experts.
Thank you all for taking the time to read this. Please feel free to connect with me on LinkedIn. Have a great day and I hope your journey into Cyber is fast and fun!